/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

/*
 * XSEC
 *
 * WinCAPICryptoProvider := Base class to handle Windows Crypto API
 *
 * Author(s): Berin Lautenbach
 *
 * $Id: WinCAPICryptoProvider.hpp 1817863 2017-12-11 22:47:43Z scantor $
 *
 */

#ifndef WINCAPICRYPTOPROVIDER_INCLUDE
#define WINCAPICRYPTOPROVIDER_INCLUDE

#include <xsec/framework/XSECDefs.hpp>
#include <xsec/enc/XSECCryptoProvider.hpp>

#if defined (XSEC_HAVE_WINCAPI)

#if defined (_WIN32_WINNT)
#    undef _WIN32_WINNT
#endif
#define _WIN32_WINNT 0x0400
#include <wincrypt.h>


// For older versions of wincrypt.h

#if !defined (PROV_RSA_AES)
#    define PROV_RSA_AES      24
#    define ALG_SID_AES_128   14
#    define ALG_SID_AES_192   15
#    define ALG_SID_AES_256   16
#    define ALG_SID_AES       17
#    define CALG_AES_128      (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_128)
#    define CALG_AES_192      (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_192)
#    define CALG_AES_256      (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_256)
#endif

#define WINCAPI_BLOBHEADERLEN   0x08
#define WINCAPI_DSSPUBKEYLEN    0x08
#define WINCAPI_DSSSEEDLEN      0x18
#define WINCAPI_RSAPUBKEYLEN    0x0C

/**
 * @defgroup wincapicrypto Windows Crypto API Interface
 * @ingroup crypto
 * The WinCAPI crypto provides an experimental inerface to
 * the Windows Cryptographic API.
 *
 * All initialisation of the Windows providers needs to be done
 * by the calling application.  The interface will call the provided
 * DSS (PROV_DSS) provider and RSA (PROV_RSA_FULL) provider to perform
 * cryptographic functions.
 *
 * The tools use the default providers, but the calling application
 * can use any providers that implement PROV_DSS and PROV_FULL_RSA.
 *
 * Note that, unlike the OpenSSL classes, the various implementation 
 * classes all require their owner provider class to be passed into
 * the constructor.  This allows them to access the RSA and DSS CAPI
 * providers being used for the implementation.
 *
 * @todo Need to allow the various classes to over-ride the PROV
 * objects to allow specific private key instances rather than one
 * instance across the library instance.
 */
 /*\@{*/

class XSEC_EXPORT WinCAPICryptoProvider : public XSECCryptoProvider {


public :

    /** @name Constructors and Destructors */
    //@{
    /**
     * \brief Create a Windows CAPI interface layer
     *
     * Windows CSPs work under a provider model.  The user should specify
     * which CSP to use.
     *
     * @param provDSSName Name of DSS provider - must be of type PROV_DSS.
     * Will use the default Windows DSS provider if nothing passed in.
     * @param provRSAName RSA provider - must be of type PROV_RSA_FULL.
     * Will use the default RSA_FULL provider if nothing passed in
         * @param dwFlags If you are running XSEC as service you should specify
         * CRYPT_MACHINE_KEYSET here
     */

    WinCAPICryptoProvider(LPCSTR provDSSName = NULL, LPCSTR provRSAName = NULL, DWORD dwFlags = 0);

    virtual ~WinCAPICryptoProvider();

    //@}

    /** @name Hashing (Digest) Functions */
    //@{

    /**
     * \brief Get the provider's maximum digest length.
     *
     * Call used by the library to max out the buffer sizes it uses.
     *
     * @returns maximum size to allow for
     */
    virtual unsigned int getMaxHashSize() const;

    /**
     * \brief Return a hashing implementation.
     *
     * Call used by the library to obtain a hashing implementation from the
     * provider.
     *
     * @returns a pointer to a hashing object.
     */
    virtual XSECCryptoHash* hash(XSECCryptoHash::HashType type) const;

    /**
     * \brief Return an HMAC implementation.
     *
     * Call used by the library to obtain an HMAC implementation from the
     * provider.  The caller will need to set the key in the hash
     * object with an XSECCryptoKeyHMAC using XSECCryptoHash::setKey().
     *
     * @returns a pointer to the hashing object.
     */
    virtual XSECCryptoHash* HMAC(XSECCryptoHash::HashType type) const;

    /**
     * \brief Return a HMAC key
     *
     * Sometimes the library needs to create an HMAC key (notably within
     * the XKMS utilities.
     *
     * This function allows the library to obtain a key that can then have
     * a value set within it.
     */

    virtual XSECCryptoKeyHMAC* keyHMAC(void) const;

    //@}

    /** @name Encoding functions */
    //@{

    /**
     * \brief Return a Base64 encoder/decoder implementation.
     *
     * Call used by the library to obtain a Base64
     * encoder/decoder.
     *
     * @note Windows providers do not implement Base64, so the internal
     * implementation (XSCrypt) is used instead.
     *
     *
     * @returns Pointer to the new Base64 encoder.
     * @see XSCryptCryptoBase64
     */

    virtual XSECCryptoBase64* base64() const;

    //@}

    /** @name Keys and Certificates */
    //@{

    /**
     * \brief Return a DSA key implementation object.
     *
     * Call used by the library to obtain a DSA key object.
     *
     * @returns Pointer to the new DSA key
     * @see WinCAPICryptoKeyDSA
     */

    virtual XSECCryptoKeyDSA* keyDSA() const;

    /**
     * \brief Return an RSA key implementation object.
     *
     * Call used by the library to obtain an WinCAPI RSA key object.
     *
     * @returns Pointer to the new RSA key
     * @see WinCAPICryptoKeyRSA
     */

    virtual XSECCryptoKeyRSA* keyRSA() const;

    /**
     * \brief Return an EC key implementation object.
     *
     * Call used by the library to obtain an WinCAPI EC key object.
     *
     * @returns Pointer to the new EC key
     */

    virtual XSECCryptoKeyEC* keyEC() const;

    /**
     * \brief Return a key implementation object based on DER-encoded input.
     *
     * Call used by the library to obtain a key object from a DER-encoded key.
     *
     * @param buf       DER-encoded data
     * @param buflen    length of data
     * @param base64    true iff data is base64-encoded
     * @returns Pointer to the new key
     */

    virtual XSECCryptoKey* keyDER(const char* buf, unsigned long buflen, bool base64) const;

    /**
     * \brief Return an X509 implementation object.
     *
     * Call used by the library to obtain an object that can work
     * with X509 certificates.
     *
     * @returns Pointer to the new X509 object
     * @see WinCAPICryptoX509
     */

    virtual XSECCryptoX509* X509() const;

    //@}

    /** @name Windows CAPI Specific methods */
    //@{

    /**
     * \brief Returns the Crypto Provider being used for DSS
     */

    HCRYPTPROV getProviderDSS(void) {return m_provDSS;}

    /**
     * \brief Returns the Provider being used for RSA functions
     */

    HCRYPTPROV getProviderRSA(void) {return m_provRSA;}

    /**
     * \brief Return the internal key store provider
     */

    HCRYPTPROV getApacheKeyStore(void) {return m_provApacheKeyStore;}

    /**
     * \brief Translate B64 I2OS integer to a WinCAPI int.
     *
     * Decodes a Base64 (ds:CryptoBinary) integer and reverses the order to
     * allow loading into a Windows CAPI function.  (CAPI uses Little Endian
     * storage of integers).
     *
     * @param b64 Base 64 string
     * @param b64Len Length of base64 string
     * @param retLen Parameter to hold length of return integer
     */

    static BYTE* b642WinBN(const char* b64, unsigned int b64Len, unsigned int& retLen);

    /**
     * \brief Translate a WinCAPI int to a B64 I2OS integer .
     *
     * Encodes a Windows integer in I2OSP base64 encoded format.
     *
     * @param n Buffer holding the Windows Integer
     * @param nLen Length of data in buffer
     * @param retLen Parameter to hold length of return integer
     * @returns A pointer to a buffer holding the encoded data
     * (transfers ownership)
     */

    static unsigned char* WinBN2b64(BYTE* n, DWORD nLen, unsigned int &retLen);

    /**
     * \brief Determine whether a given algorithm is supported
     *
     * A call that can be used to determine whether a given
     * symmetric algorithm is supported
     */

    virtual bool algorithmSupported(XSECCryptoSymmetricKey::SymmetricKeyType alg) const;

    /**
     * \brief Determine whether a given algorithm is supported
     *
     * A call that can be used to determine whether a given
     * digest algorithm is supported
     */

    virtual bool algorithmSupported(XSECCryptoHash::HashType alg) const;

    /**
     * \brief Return a Symmetric Key implementation object.
     *
     * Call used by the library to obtain a bulk encryption
     * object.
     *
     * @returns Pointer to the new SymmetricKey object
     * @see XSECCryptoSymmetricKey
     */

    virtual XSECCryptoSymmetricKey* keySymmetric(XSECCryptoSymmetricKey::SymmetricKeyType alg) const;

    /**
     * \brief Obtain some random octets
     *
     * For generation of IVs and the like, the library needs to be able
     * to obtain "random" octets.  The library uses this call to the
     * crypto provider to obtain what it needs.
     *
     * @param buffer The buffer to place the random data in
     * @param numOctets Number of bytes required
     * @returns Number of bytes obtained.
     */

    virtual unsigned int getRandom(unsigned char * buffer, unsigned int numOctets) const;


    //@}

    /** @name Information Functions */
    //@{

    /**
     * \brief Returns a string that identifies the Crypto Provider
     */

    virtual const XMLCh* getProviderName() const;

    //@}


private:
    HCRYPTPROV        m_provDSS;
    HCRYPTPROV        m_provRSA;
    HCRYPTPROV        m_provApacheKeyStore;
    LPCSTR            m_provDSSName;
    LPCSTR            m_provRSAName;
    bool              m_haveAES;
    DWORD             m_provRSAType;

};

/*\@}*/

#endif /* XSEC_HAVE_WINCAPI */
#endif /* WINCAPICRYPTOPROVIDER_INCLUDE */

